Memory Forensic

Memory forensic is a technique used to investigate computer compromises by identifying digital footprints left by attacks, ensuring the preservation of memory dumps for accurate analysis. Tools like Dumpit and Volatility are essential for capturing and analyzing memory, while Sleuth Kit aids in disk image analysis and file recovery. The methodology involves understanding file types and utilizing commands to extract and analyze data without altering the original evidence.

Uploaded by orizur33

Memory forensic:

Memory forensics is a method to identify the trail of footprints left on a computer that was infected, attacked or compromised. In order to produce a quality investigation report (and in case a court wants to use our investigation as evidence) we must do our best to preserve the memory dump and take only the minimum steps required to support our conclusions. We must be as careful as possible not to create any file or change any value that might affect the memory dump.

Concept: the idea behind memory forensics is that any attack on a computer leaves trails, just like a crime scene. These can be in the log files, in registry keys, or in the memory itself. For example, if a malware changes the value of a registry key in order to gain persistence on the compromised device, this will also appear in the logs of the device and in the memory itself.

Responsibility: as I said above, our responsibility is to ensure we won't corrupt a memory dump that might lead to a trail. Therefore, as a general rule of thumb, once we have the memory dump we duplicate it so we won't harm our original copy. Whenever analyzing the memory dump we must do so with the minimum number of steps required, so we can be sure we don't delete or create unintended files that could alter the result of the investigation.

Tools: there are a lot of tools that can dump the memory and analyze it; however, we will use the two most commonly used tools in the industry (both are free): the first one is DumpIt and the second is Volatility.

Dumpit: DumpIt is free-to-use software that can "dump" all the memory on your system to a file. (Note: this file will be the same size as the amount of memory your device has. For example, if your computer has 16GB of RAM the file will be 16GB, even if not all of your RAM is in use.) Once done, the file that DumpIt created will be a "raw" file type.

Volatility: Volatility is an open-source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux. Since Volatility is a massive framework we won't be able to go through all its functionality here. However, I linked a "cheat-sheet" for the Volatility framework on the last page. Among the many things Volatility can do are dumping memory and reading a memory "raw" file.

Sleuth kit: The Sleuth Kit (TSK) is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools. Some popular commands in TSK 4 are:

- blkcalc - Converts between unallocated disk unit numbers and regular disk unit numbers.
- blkcat - Display the contents of a file system data unit in a disk image.
- blkls - List or output file system data units.
- blkstat - Display details of a file system data unit (i.e. block or sector).
- fcat - Output the contents of a file based on its name.
- ffind - Finds the name of the file or directory using a given inode.
- fiwalk - Print the filesystem statistics and exit.
- fls - List file and directory names in a disk image.
- fsstat - Display general details of a file system.
- hfind - Lookup a hash value in a hash database.
- icat - Output the contents of a file based on its inode number.
- ifind - Find the meta-data structure that has allocated a given disk unit or file name.
- ils - List inode information.
- img_cat - Output contents of an image file.
- img_stat - Display details of an image file.
- istat - Display details of a meta-data structure (i.e. inode).
- jcat - Show the contents of a block in the file system journal.
- jls - List the contents of a file system journal.
- jpeg_extract - JPEG extractor.
- mactime - Create an ASCII time line of file activity.
- mmcat - Output the contents of a partition to stdout.
- mmls - Display the partition layout of a volume system (partition tables).
- mmstat - Display details about the volume system (partition tables).
- sigfind - Find a binary signature in a file.
- sorter - Sort files in an image into categories based on file type.
- srch_strings - Display printable strings in files.
- tsk_comparedir - Compare the contents of a directory with the contents of an image or local device.
- tsk_gettimes - Collect MAC times from a disk image into a body file.
- tsk_loaddb - Populate a SQLite database with metadata from a disk image.
- tsk_recover - Export files from an image into a local directory.


Usage: among the many uses of The Sleuth Kit we can find memory forensics, deleted file recovery from disk images, deleted file recovery from RAM, and much more. This can help us investigate the memory and reach conclusions once a data breach occurs.

Methodology: first of all, we want to understand what type of file we are up against. Usually we will run the 'file' command against it. Once we have a clue whether it is a raw file or a file that was investigated before, we can determine our next move. If it was processed before, we may want to continue searching for the lead that the previous investigator had in mind. However, if this is a 'fresh' file we can start reading it. Once we open the file with 'mmls' we will be presented with the file's 'sectors' (the partition layout).

We can see that the first entry is a description; then from the first byte until byte number 191 is unallocated space in the RAM, and the file starts after 192 bytes (in this case it is a Win95 partition with a FAT32 file system). The last byte is 7716863. We can also see the amount of space each sector occupies. Once we choose a sector we can list all the files with the 'fls' command. Furthermore, we can even see whether an entry is a file or a directory according to the first column (r/r stands for regular, and d/d stands for directory). In the second column we can see the 'inode' where the file is located (note that there is a star near inode 110; this means that the file was deleted).

If we want to open a specific file we can use the 'icat' command.

If the file was deleted, the icat command can help us restore the file.

Another command we can use is 'ils'; this command will retrieve metadata for a specific file.
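The mmls / fls / icat steps above are easy to get wrong by hand (the -o offset is in sectors, and only entries marked with a star are deleted). Below is an added example, not part of the original write-up, that parses constructed mmls and fls output in the same layout as the walkthrough (unallocated sectors 0-191, FAT32 from sector 192, deleted inode 110) and builds the icat recovery commands without touching the image; the image name "image.raw" and file names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample mmls / fls output (not captured from a real image); the
# partition numbers follow the write-up: sectors 0-191 unallocated, FAT32 from 192.
MMLS_OUTPUT = """\
DOS Partition Table
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000191   0000000192   Unallocated
002:  000:000   0000000192   0007716863   0007716672   Win95 FAT32 (0x0b)
"""
FLS_OUTPUT = "r/r 4:\tREADME.TXT\nd/d 5:\tDOCS\nr/r * 110:\tpasswords.txt\n"

@dataclass
class Partition:
    slot: str          # "Meta" = the partition table itself, "-------" = no slot
    start: int         # first sector; this is the value fls/icat -o expect
    end: int           # last sector, inclusive
    length: int        # size in sectors
    description: str

@dataclass
class FlsEntry:
    ftype: str         # "r/r" regular file, "d/d" directory
    inode: str         # kept as text: NTFS inodes look like "110-128-3"
    name: str
    deleted: bool      # fls prints "*" before the inode of a deleted entry

MMLS_ROW = re.compile(r"^\d{3}:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
FLS_ROW = re.compile(r"^([-a-z])/([-a-z])\s+(\*\s+)?([\d-]+):\s+(.+)$")

def parse_mmls(text):
    rows = (MMLS_ROW.match(line) for line in text.splitlines())
    return [Partition(m[1], int(m[2]), int(m[3]), int(m[4]), m[5]) for m in rows if m]

def filesystem_partitions(parts):
    # Drop the table entry (slot "Meta") and unallocated gaps: nothing to fls there.
    return [p for p in parts if p.slot != "Meta" and p.description != "Unallocated"]

def parse_fls(text):
    rows = (FLS_ROW.match(line) for line in text.splitlines())
    return [FlsEntry(f"{m[1]}/{m[2]}", m[4], m[5].strip(), m[3] is not None) for m in rows if m]

def recovery_commands(image, part, entries):
    # Build (not run) icat lines for deleted regular files; -o is the partition
    # offset in sectors (the mmls Start column) and output goes to a work dir.
    return [f"icat -o {part.start} {image} {e.inode} > recovered/{e.name}"
            for e in entries if e.deleted and e.ftype == "r/r"]
```

Run the printed commands only against a working copy of the dump, never the original evidence file.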
Autopsy: Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card. Autopsy was designed to be intuitive out of the box.

External links:

Download volatility: https://www.volatilityfoundation.org/26

Volatility cheat-sheet: https://digital-forensics.sans.org/media/volatility-memory-forensics-cheat-sheet.pdf

Dumpit: https://qpdownload.com/dumpit/

Sleuth kit download: https://www.sleuthkit.org/sleuthkit/download.php

Sleuth kit cheat-sheet: http://wiki.sleuthkit.org/index.php?title=The_Sleuth_Kit_commands


http://cet4860.pbworks.com/w/file/fetch/120745857/4860.4861.4862.forensic_cheatsheet.pdf

Sleuth kit video: https://www.youtube.com/watch?v=R-IE2j04Chc&feature=youtu.be

Autopsy download: https://www.sleuthkit.org/autopsy/download.php

Recommended YouTube channel for forensic: https://www.youtube.com/user/davisrichardg/videos

Cool slide for sleuth kit: https://www.slideshare.net/ChrisHarrington5/examining-forensics-image-using-open-source

Case study (using sleuth kit): http://old.honeynet.org/scans/scan29/

Sleuth kit documentation: http://wiki.sleuthkit.org/index.php?title=Main_Page